Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic Protocol Analysis Jonathan Millen SRI International.

Similar presentations


Presentation on theme: "Cryptographic Protocol Analysis Jonathan Millen SRI International."— Presentation transcript:

1 Cryptographic Protocol Analysis Jonathan Millen SRI International

2 Cryptographic Protocols in Use Cryptographic protocol: an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material. Applications: military communications, business communications, electronic commerce, privacy Examples: Kerberos: MIT protocol for unitary login to network services SSL (Secure Socket Layer, used in Web browsers), TLS IPSec: standard suite of Internet protocols due to the IETF ISAKMP, IKE, JFK,... Cybercash (electronic commerce) EKE, SRP (password -based authentication) PGP (Pretty Good Privacy)

3 The Security Threat: Active Attacker (Dolev - Yao model) Attacker can: -intercept all messages -modify addresses and data Attacker cannot: -encrypt or decrypt without the key (ideal encryption)

4 A Simple Example The Needham-Schroeder public-key handshake (R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” CACM, Dec., 1978) A  B: {A, Na}pk(B) B  A: {Na, Nb}pk(A) A  B: {Nb}pk(B) This is an “Alice-and-Bob” protocol specification Na and Nb are nonces (used once) pk(A) is the public key of A A and B authenticate each other, Na and Nb are secret The protocol is vulnerable...

5 The Attack AMB {A,Na}pk(M){A,Na}pk(B) {Na,Nb}pk(A) {Nb}pk(M) {Nb}pk(B) Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” Proc. TACAS 1996, LNCS 1055 (normal) (thinks he’s talking to A, Nb is compromised) A malicious party M can forge addresses, deviate from protocol (false)

6 Why Protocol Analysis is Hard

7 What Makes Protocol Analysis Hard? The attacker. Unbounded number of concurrent sessions. Recursive data types. {a,b,c,... } = {a, {b, {c,... }...} {...{{{a}k 1 }k 2 }k 3... Infinite data types (nonces) n 1, n 2, n 3,...

8 Crypto Protocol Analysis Formal ModelsComputational Models Belief LogicsModel CheckingInductive Proofs Dolev-Yao (ideal encryption) Probabilistic poly-time Random oracle (bit leakage)

9 Belief Logics Origin: Burrows, Abadi, and Needham (BAN) Logic (1990) Modal logic of belief (“belief” as local knowledge) Special constructs and inference rules e.g., P sees X (P has received X in a message) Protocol messages are “idealized” into logical statements Objective is to prove that both parties share common beliefs Example inference rule: Implicit assumption that secrets are protected! Good for authentication proofs, but not confidentiality P believes fresh(X), P believes Q said X P believes Q believes X

10 Model Checking Tools State-space search for reachability of insecure states History: back to 1984, Interrogator program in Prolog Meadows’ NRL Protocol Analyzer (NPA), also Prolog Early Prolog programs were interactive Song's Athena is recent, automatic General-purpose model-checkers applied Searched automatically given initial conditions, bounds Roscoe and Lowe used FDR (model-checker for CSP) Mitchell, et al used Murphi Clarke, et al used SMV Denker, et al used Maude Can only search a finite state space

11 Inductive Proofs Approach: like proofs of program correctness Induction to prove secrecy invariant General-purpose specification/verification system support Kemmerer, using Ina Jo and ITP (1989) (the first) Paulson, using Isabelle (1997) (the new wave) Dutertre and Schneider, using PVS (1997) Bolignano, using Coq (1997) Can also be done manually Schneider, in CSP; Guttman, et al, in strand spaces Contributed to better understanding of invariants Much more complex than belief logic proofs Full guarantee of correctness (with respect to model) Proofs include confidentiality No finiteness limits

12 Undecidable in General Reduction of Post correspondence problem Word pairs u i, v i for i = 1, …, n Does there exist u i1...u ik = v i1...v ik ? No general algorithm to decide Protocol: Compromises secret if solution exists Attacker can feed output of one instance to input of another Attacker cannot read or forge messages because of encryption Messages are unbounded receive {X,Y}K if X = Y  , send secret else send {Xu i,Yv i }K receive {X,Y}K if X = Y  , send secret else send {Xu i,Yv i }K The i th party Initial party send { ,  }K

13 A Decidable-Security Version: Ping Pong Protocols (Dolev-Yao ‘83) Abstract public-key encryption E a, decryption D a per party Reduction D a E a M = M Protocol accumulates operators on an initial message M Attacker intercepts messages and applies operators also M EaMEaM EaEaMEaEaM EbEaMEbEaM EaEa EaEa EbDaEbDa MEaMEaM EaEa EbDaEaEaMEbDaEaEaM Secrecy of M decidable in linear time

14 Bounded-Process Decidability Limit the number of legitimate process instances (Huima, 1999) Large class of protocols

15 Crypto Protocol Analysis Formal ModelsComputational Models Modal LogicsModel CheckingInductive Proofs Dolev-Yao (ideal encryption) Probabilistic poly-time Random oracle (bit leakage) Bounded-process decidableFinite-state Antti Huima, 1999 Symbolic states (extended abstract) Inspired subsequent work: Amadio-Lugiez Boreale Fiore-Abadi Rusinowitch-Turuani (NP-complete) Millen-Shmatikov (constraint solver)

16 Constraint Solving Parametric strand specification Finite scenario setup Generating constraint sets Solve constraint set (finds attack) or prove unsolvable (secure)

17 Parametric Strand Specification {A,N A } pk(B) {N B,N A } pk(A) {N B } pk(B) Protocol AB A-role strand +{A,N A } pk(B) -{N B,N A } pk(A) +{N B } pk(B) - Strand: node sequence - Node is directed message term - Role has variables in terms - Strand: node sequence - Node is directed message term - Role has variables in terms B-role strand

18 b1b1 b2b2 b3b3 m b2 m b1 m b3 a1a1 a2a2 a3a3 m a1 m a3 m a2 Semibundle Scenario a1a1 a2a2 a3a3 b1b1 b2b2 b3b3 m a1 m b2 m a3 m b1 m a2 m b3 c1c1 s - May have multiple role instances - s is the secret (skolem constant) - Strands distinguished by constant nonces - Search for bundle - Bundle instantiates variables - May have multiple role instances - s is the secret (skolem constant) - Strands distinguished by constant nonces - Search for bundle - Bundle instantiates variables A-rolesB-rolesTester Bundle: every received message is computable by an attacker (original “bundle” includes explicit attacker operation strands)

19 Constraint Set Generation a1a1 a2a2 a3a3 b1b1 b2b2 b3b3 s1s1 s2s2 s3s3 r1r1 r2r2 r3r3 Constraints r 1 : T 0, s 1 r 2 : T 0, s 1, s 2 r 3 : T 0, s 1, s 2, s 3 m: T means m can be computed from T received messages have computability constraint (T 0 is set of terms known initially to attacker) Enumerate all linear node orderings consistent with strands

20 Reduction Tree Initial constraint set No rule is applicable apply every possible reduction rule to first m:T where m is not a variable var 1 : T 1 var N : T N Always satisfiable! or A constraint set is solvable if it is reducible to a satisfiable set

21 Analysis Rule Example m : {t 1,t 2 }, T m : t 1, t 2, T (split)

22 Synthesis Rule Example {m} k : T m : T (enc) k : T

23 Unification Eliminates a Constraint m : t, T - (un) Unify left side term with some term on right Instantiate variables if necessary - part of solution

24 Encryption Decomposition m : {t} k, T (sdec) *Encrypted term is marked to avoid looping k : {t} k *, T m : t, k, T

25 Implementation Prolog Program Standard Edinburgh Prolog (can use public domain SWI or XSB) Short - three pages Fast - 50,000 interleavings/minute normally Easy protocol specification

26 NSPK for Prolog Solver strand(roleA,A,B,Na,Nb,[ recv([A,B]), send([A,Na]*pk(B)), recv([Na,Nb]*pk(A)), send(Nb*pk(B)) ]). strand(roleB,A,B,Na,Nb,[ recv([A,Na]*pk(B)), send([Na,Nb]*pk(A)), recv(Nb*pk(B)) ]). strand(test,S,[recv(S)]). A  B: {A, Na}pk(B) B  A: {Na, Nb}pk(A) A  B: {Nb}pk(B) Capital letters are variables Originated variables must be nonces Principals are not originated (Originated: appearing first in a send)

27 Scenario Semibundle and Query nspk0([Sa,Sb,St]) :- strand(roleA,_A,_B,na,_Nb,Sa), strand(roleB,a,b,_Na,nb,Sb), strand(test,nb,St). :- nspk0(B),search(B,[]). The secret and the principals sharing it are instantiated Other nonces are instantiated in originator strand Authentication test is also possible

28 Search Result ?- nspk0(B),search(B,[ ]). Starting csolve... Try 1 Try 2 Try 3 Try 4 Simple constraints: Trace: recv([a, e]) send([a, na]*pk(e)) recv([a, na]*pk(b)) send([na, nb]*pk(a)) recv([na, nb]*pk(a)) send(nb*pk(e)) recv(nb*pk(b)) recv(nb) a  e: {a, na}pk(e) ?  a: {na, nb}pk(a) a  e: {nb}pk(e) ?  ?: nb ?  b: {a, na}pk(b) b  a: {na, nb}pk(a) ?  b: {nb}pk(b) e is the attacker

29 Other Resources Information on CAPSL web site: ACM CCS-8 paper, "Bounded-process cryptographic protocol analysis" Prolog constraint solver program and NSL example Bibliography


Download ppt "Cryptographic Protocol Analysis Jonathan Millen SRI International."

Similar presentations


Ads by Google